Re: [Openvpn-devel] option --crl-verify PATH dir

2013-02-05 Thread Adriaan de Jong
> -Original Message-
> From: David Sommerseth [mailto:openvpn.l...@topphemmelig.net]
> Sent: dinsdag 5 februari 2013 16:00
> To: Adriaan de Jong
> Cc: openvpn-devel@lists.sourceforge.net; Jan Just Keijser; James Yonan
> Subject: Re: [Openvpn-devel] option --crl-verify PATH dir
> 
> On 04/02/13 08:43, Adriaan de Jong wrote:
> >> -Original Message-
> >> From: David Sommerseth [mailto:openvpn.l...@topphemmelig.net]
> >> Sent: zondag 3 februari 2013 15:52
> >> To: Jan Just Keijser
> >> Cc: openvpn-devel@lists.sourceforge.net
> >> Subject: Re: [Openvpn-devel] option --crl-verify PATH dir
> >>
> >> On 03/02/13 12:02, Jan Just Keijser wrote:
> >>> hi,
> >>>
> >>> what is the second option to '--crl-verify' supposed to do? in
> >>> options.c it sets a flag SSLF_CRL_VERIFY_DIR which then triggers
> the
> >>> function 'verify_check_crl_dir'. However, this function does not
> >>> seem to do anything
> >>
> >> Quickly looked at the code ... with the 'dir' flag (which sets
> >> SSLF_CRL_VERIFY_DIR), it's no longer a typical CRL file validation.
> >> If you create (touch) a file in the defined directory with the file
> >> name matching a particular client's serial number; the connection
> >> will be denied.
> >>
> >
> > Confirmed, with the footnote that this is a weird way of going about
> things.
> >
> > I would like to suggest deprecating this option from 2.4 (or 2.3.1?)
> onwards, and forcing people to either:
> >
> >  - Create an actual CRL file. This is not difficult. In general,
> people using OpenVPN should be managing their own CA in the OpenVPN
> world.
> >  - Failing that, create a custom script to do this.
> >
> > I'm always open for discussion, but imho this should not be core
> functionality in OpenVPN.
> 
> I agree that this directory based "CRL" with empty files shouldn't be a
> core part of OpenVPN.  This is in my eyes what --tls-verify scripts is
> supposed to solve.  I also agree with JJK, that implementing proper CA
> path support makes a lot of sense.  Even though PolarSSL lacks this
> support now, I believe Paul wouldn't instantly object a patch
> implementing a CA path support.
> 
> However, I'm not sure it's a good idea to remove this feature in 2.4 or
> earlier.  There are people depending on this feature.  And it touches
> the same discussion topic we had at FOSDEM regarding --compat-names and
> --no-name-remapping.
> 
> If removed, I would say it should be removed in OpenVPN 3.  We can
> start warning about it in 2.4.  However, I'd really like to have James
> feedback on this as well before we just decide to kill it off at a
> later release.  Just because I want to avoid the same
> situation/discussion as we had at FOSDEM.
> 

I agree, that's why I suggested deprecation of this feature. We could even 
provide an example script that performs the same functionality.

About JJK's issue, I'm not sure whether Paul has support for loading all CRLs 
in a directory planned, but it should be a small patch now that crt loading 
exists.

As an aside, I'm working on a patch that moves CRL verification from OpenVPN 
into the SSL library (where it should be). Expect that within a few days.

Adriaan
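An added example, not from this thread or the OpenVPN project, of the kind of script Adriaan mentions: a --tls-verify hook that reproduces the '--crl-verify <dir> dir' behaviour David describes (a file named after the client certificate's serial number in a directory denies the connection). It relies on OpenVPN calling the script as "script <depth> <subject>" and exporting tls_serial_{n} for the certificate at depth n; the directory path, the decimal serial format and the function names are this example's assumptions, not taken from the thread.

```shell
#!/bin/sh
# Example --tls-verify script (added illustration, not OpenVPN project code).
# Mirrors the '--crl-verify <dir> dir' semantics: deny the TLS handshake when a
# marker file named after the client certificate's serial exists in a directory.
#
# OpenVPN invokes:  script <depth> <x509-subject>
# and exports tls_serial_{n} (serial of the cert at chain depth n), so the
# leaf (client) certificate's serial is in $tls_serial_0 when depth is 0.
# Assumption: serials are compared in the decimal form tls_serial_0 carries.

REVOKED_DIR="${REVOKED_DIR:-/etc/openvpn/revoked-serials}"   # assumed path

# check_serial DIR SERIAL -> 0 = allow, 1 = deny
check_serial() {
    dir=$1
    serial=$2
    # Only a plain decimal serial may be used as a file name: an empty value
    # or anything containing '/', '.', spaces etc. is rejected outright so the
    # lookup can never escape the revocation directory.
    case "$serial" in
        ''|*[!0-9]*)
            echo "tls-verify: refusing malformed serial '$serial'" >&2
            return 1 ;;
    esac
    if [ -e "$dir/$serial" ]; then
        echo "tls-verify: serial $serial revoked (marker $dir/$serial)" >&2
        return 1
    fi
    return 0
}

# verify DEPTH SUBJECT -> 0 = allow, 1 = deny
# Only the leaf certificate (depth 0) is checked against the directory; CA and
# intermediate certificates (depth > 0) are left to the normal chain validation.
verify() {
    depth=$1
    subject=$2
    if [ "$depth" -ne 0 ]; then
        return 0
    fi
    echo "tls-verify: checking $subject (serial ${tls_serial_0:-unset})" >&2
    check_serial "$REVOKED_DIR" "${tls_serial_0:-}"
}

# When OpenVPN runs the script it passes two arguments; exit with the verdict.
if [ $# -ge 2 ]; then
    verify "$1" "$2"
    exit $?
fi
```

To revoke a client, create an empty file named after its decimal serial in the directory (the same "touch" step David describes for the built-in option); to reinstate it, delete the file. Because the script runs per handshake, a change takes effect on the client's next connection or renegotiation, exactly as with the built-in directory check.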




Re: [Openvpn-devel] option --crl-verify PATH dir

2013-02-05 Thread David Sommerseth
On 04/02/13 08:43, Adriaan de Jong wrote:
>> -Original Message-
>> From: David Sommerseth [mailto:openvpn.l...@topphemmelig.net]
>> Sent: zondag 3 februari 2013 15:52
>> To: Jan Just Keijser
>> Cc: openvpn-devel@lists.sourceforge.net
>> Subject: Re: [Openvpn-devel] option --crl-verify PATH dir
>>
>> On 03/02/13 12:02, Jan Just Keijser wrote:
>>> hi,
>>>
>>> what is the second option to '--crl-verify' supposed to do? in
>>> options.c it sets a flag SSLF_CRL_VERIFY_DIR which then triggers the
>>> function 'verify_check_crl_dir'. However, this function does not seem
>>> to do anything
>>
>> Quickly looked at the code ... with the 'dir' flag (which sets
>> SSLF_CRL_VERIFY_DIR), it's no longer a typical CRL file validation.  If
>> you create (touch) a file in the defined directory with the file name
>> matching a particular client's serial number; the connection will be
>> denied.
>>
> 
> Confirmed, with the footnote that this is a weird way of going about things. 
> 
> I would like to suggest deprecating this option from 2.4 (or 2.3.1?) onwards, 
> and forcing people to either:
> 
>  - Create an actual CRL file. This is not difficult. In general, people using 
> OpenVPN should be managing their own CA in the OpenVPN world.
>  - Failing that, create a custom script to do this.
> 
> I'm always open for discussion, but imho this should not be core 
> functionality in OpenVPN.

I agree that this directory based "CRL" with empty files shouldn't be a
core part of OpenVPN.  This is in my eyes what --tls-verify scripts is
supposed to solve.  I also agree with JJK, that implementing proper CA
path support makes a lot of sense.  Even though PolarSSL lacks this
support now, I believe Paul wouldn't instantly object a patch
implementing a CA path support.

However, I'm not sure it's a good idea to remove this feature in 2.4 or
earlier.  There are people depending on this feature.  And it touches
the same discussion topic we had at FOSDEM regarding --compat-names and
--no-name-remapping.

If removed, I would say it should be removed in OpenVPN 3.  We can start
warning about it in 2.4.  However, I'd really like to have James
feedback on this as well before we just decide to kill it off at a later
release.  Just because I want to avoid the same situation/discussion as
we had at FOSDEM.


-- 
kind regards,

David Sommerseth





Re: [Openvpn-devel] option --crl-verify PATH dir

2013-02-05 Thread Eric Crist
I think this option should remain.  This is useful for temporarily disabling 
users for VPNs that don't incorporate user/pass authentication.  I am opposed 
to deprecating this function.


-
Eric F Crist



On Feb 4, 2013, at 01:43:10, Adriaan de Jong <dej...@fox-it.com> wrote:

>> -Original Message-
>> From: David Sommerseth [mailto:openvpn.l...@topphemmelig.net]
>> Sent: zondag 3 februari 2013 15:52
>> To: Jan Just Keijser
>> Cc: openvpn-devel@lists.sourceforge.net
>> Subject: Re: [Openvpn-devel] option --crl-verify PATH dir
>> 
>> On 03/02/13 12:02, Jan Just Keijser wrote:
>>> hi,
>>> 
>>> what is the second option to '--crl-verify' supposed to do? in
>>> options.c it sets a flag SSLF_CRL_VERIFY_DIR which then triggers the
>>> function 'verify_check_crl_dir'. However, this function does not seem
>>> to do anything
>> 
>> Quickly looked at the code ... with the 'dir' flag (which sets
>> SSLF_CRL_VERIFY_DIR), it's no longer a typical CRL file validation.  If
>> you create (touch) a file in the defined directory with the file name
>> matching a particular client's serial number; the connection will be
>> denied.
>> 
> 
> Confirmed, with the footnote that this is a weird way of going about things. 
> 
> I would like to suggest deprecating this option from 2.4 (or 2.3.1?) onwards, 
> and forcing people to either:
> 
> - Create an actual CRL file. This is not difficult. In general, people using 
> OpenVPN should be managing their own CA in the OpenVPN world.
> - Failing that, create a custom script to do this.
> 
> I'm always open for discussion, but imho this should not be core 
> functionality in OpenVPN.
> 
> Kind regards,
> Adriaan
> 




Re: [Openvpn-devel] option --crl-verify PATH dir

2013-02-05 Thread Jan Just Keijser

Adriaan de Jong wrote:
>> -Original Message-
>> From: David Sommerseth [mailto:openvpn.l...@topphemmelig.net]
>> Sent: zondag 3 februari 2013 15:52
>> To: Jan Just Keijser
>> Cc: openvpn-devel@lists.sourceforge.net
>> Subject: Re: [Openvpn-devel] option --crl-verify PATH dir
>>
>> On 03/02/13 12:02, Jan Just Keijser wrote:
>>> hi,
>>>
>>> what is the second option to '--crl-verify' supposed to do? in
>>> options.c it sets a flag SSLF_CRL_VERIFY_DIR which then triggers the
>>> function 'verify_check_crl_dir'. However, this function does not seem
>>> to do anything
>>
>> Quickly looked at the code ... with the 'dir' flag (which sets
>> SSLF_CRL_VERIFY_DIR), it's no longer a typical CRL file validation.  If
>> you create (touch) a file in the defined directory with the file name
>> matching a particular client's serial number; the connection will be
>> denied.
>>
>
> Confirmed, with the footnote that this is a weird way of going about things.
>
> I would like to suggest deprecating this option from 2.4 (or 2.3.1?) onwards,
> and forcing people to either:
>
>  - Create an actual CRL file. This is not difficult. In general, people using
> OpenVPN should be managing their own CA in the OpenVPN world.
>  - Failing that, create a custom script to do this.
>
> I'm always open for discussion, but imho this should not be core functionality
> in OpenVPN.


I agree that CA cert and CRL management should not be part of the "core" 
functionality of OpenVPN.
In one of my setups I've got a --ca-path containing 108 different CA 
certs, with 108 CRLs for each of them - concatenating those 108 CRLs 
into one big CRL.pem file every day would be a major nuisance...
OpenSSL has very nice support (--ca-path) for a directory containing a 
set of CA certs and their corresponding CRLs; AFAIK PolarSSL does not 
have this option - so perhaps there is some usefulness to this option 
after all?



share and enjoy,

JJK



Re: [Openvpn-devel] option --crl-verify PATH dir

2013-02-04 Thread Adriaan de Jong
> -Original Message-
> From: David Sommerseth [mailto:openvpn.l...@topphemmelig.net]
> Sent: zondag 3 februari 2013 15:52
> To: Jan Just Keijser
> Cc: openvpn-devel@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] option --crl-verify PATH dir
> 
> On 03/02/13 12:02, Jan Just Keijser wrote:
> > hi,
> >
> > what is the second option to '--crl-verify' supposed to do? in
> > options.c it sets a flag SSLF_CRL_VERIFY_DIR which then triggers the
> > function 'verify_check_crl_dir'. However, this function does not seem
> > to do anything
> 
> Quickly looked at the code ... with the 'dir' flag (which sets
> SSLF_CRL_VERIFY_DIR), it's no longer a typical CRL file validation.  If
> you create (touch) a file in the defined directory with the file name
> matching a particular client's serial number; the connection will be
> denied.
> 

Confirmed, with the footnote that this is a weird way of going about things. 

I would like to suggest deprecating this option from 2.4 (or 2.3.1?) onwards, 
and forcing people to either:

 - Create an actual CRL file. This is not difficult. In general, people using 
OpenVPN should be managing their own CA in the OpenVPN world.
 - Failing that, create a custom script to do this.

I'm always open for discussion, but imho this should not be core functionality 
in OpenVPN.

Kind regards,
Adriaan




Re: [Openvpn-devel] option --crl-verify PATH dir

2013-02-03 Thread David Sommerseth
On 03/02/13 12:02, Jan Just Keijser wrote:
> hi,
> 
> what is the second option to '--crl-verify' supposed to do? in options.c 
> it sets a flag SSLF_CRL_VERIFY_DIR which then triggers the function 
> 'verify_check_crl_dir'. However, this function does not seem to do 
> anything

Quickly looked at the code ... with the 'dir' flag (which sets
SSLF_CRL_VERIFY_DIR), it's no longer a typical CRL file validation.  If
you create (touch) a file in the defined directory with the file name
matching a particular client's serial number; the connection will be denied.

-- 
kind regards,

David Sommerseth


